What is an electronic travel voucher? The answer is more difficult than it may seem

The State Information System “Unified Information System of Electronic Travel Vouchers” (GIS EP) is designed to monitor the tourist services market in Russia. It ensures the safety of tourists and transparent provision of services.

The GIS was developed over several years, and on November 15, 2023, it became mandatory for tour operators and travel agents who sell foreign trips. They must transfer information to the system on fully paid tours with a flight and accommodation for more than one night. From September 1, the obligations also extend to other market participants who provide inbound and domestic tourism services.

We at Selectel looked into the issue and held a webinar together with JSC NTT, a licensee of the FSTEC of Russia and the developer of the GIS “Electronic Travel Voucher”. In this article, we explain what travel agents and tour operators should know, how to comply with legal requirements and what changes to expect in 2024.

Who needs an electronic travel voucher system and why
Is it possible not to connect to the GIS EP
Is it possible to figure it out on your own?
What Selectel offers
Stages of work on connecting the tour operator's IS to the GIS EP
Watch the webinar recording

Who needs an electronic travel voucher system and why


The GIS was developed over several years, and on November 15, 2023, it became mandatory for tour operators and travel agents who sell foreign trips. They must transfer information to the system on fully paid tours with a flight and accommodation for more than one night.

From September 1, 2024, the obligations will also apply to other market participants that provide inbound and domestic tourism services. On April 4, 2024, the Ministry of Economic Development, together with the FSTEC of Russia, approved the order “Requirements for the protection of information of automated workstations and information (automated) systems of external users (tour operators) connected to the state information system “Electronic Travel Voucher””.

The regulatory document sets the requirements for the security of the tour operator's computer system, which is connected to the GIS EP. Among other things, it is about obtaining a certificate according to the requirements of the FSTEC of Russia, as well as organizing a connection protected by class KS3 cryptography. We will talk about the legislative requirements in more detail a little later.

The system combines information provided by participants within the framework of digital processes. On the part of the state, the GIS EP is an opportunity to monitor tourist offers, issued vouchers, terms of contracts, etc. for compliance with legislative requirements. The GIS generates a document that is provided to the tour operator's clients. This is convenient for both tourists and businesses.

Watch the joint webinar of Selectel and JSC NTT, a licensee of the FSTEC of Russia and a developer of the GIS EP. We will explain all the processes in simple terms and give a step-by-step action plan.

Is it possible not to connect to the GIS EP

Tour operators who do not connect to the GIS EP by September 1, 2024, will be removed from the register of tour operators. It will become impossible to conduct activities in the field of tourism.

However, there are also risks for market representatives who have been connected to the system for a long time. By November 1, 2024, they must comply with the new security requirements; otherwise they will be disconnected from the GIS EP and also excluded from the register of tour operators. Reconnection will be possible only if all requirements are met.

Is it possible to figure it out on your own?

Legislation

First, it is necessary to analyze the requirements of the Ministry of Economic Development and the Federal Service for Technical and Export Control of Russia dated April 4, 2024 (outgoing No. D08i-10233). This is a complex regulatory act, but the regulation does not end there. You will need the help of lawyers and information security specialists. Finding experts with the necessary qualifications will take a lot of time and money.

Let's look at several key documents whose requirements must be met to build a safe and effective solution.

  • Federal Law of 28.05.2022 No. 148-FZ “On Amendments to the Federal Law “On the Fundamentals of Tourism Activity in the Russian Federation”. Obliges operators and travel agents to upload data on tourist trips to the “Electronic Travel Voucher” service.
  • Resolution of the Government of the Russian Federation of 10.10.2023 No. 1664 “On Amendments to the Resolution of the Government of the Russian Federation of March 12, 2022 No. 353”. Establishes important requirements for the deadlines from which it is mandatory to provide information to the GIS EP.
  • Order of the FSTEC of Russia dated 11.02.2013 No. 17 and order of the FSTEC of Russia dated 18.02.2013 No. 21. Certification according to their requirements is mandatory for connection to the GIS EP.
  • Resolution of the Government of the Russian Federation of 01.11.2012 N 1119 “On approval of requirements for the protection of personal data when processing them in personal data information systems.”
  • FSB Order No. 378, as well as the requirements that FSB-certified cryptographic protection tools impose: forming a closed software environment and using a trusted boot module to ensure class KS3 for encryption.

Information loading modes

GIS EP supports two modes of data transfer from the tour operator.

1. Manual entry of electronic vouchers via the GIS EP website. In this case, the tour operator employee manually enters information about the sale of the tour product.

2. Automated input of electronic vouchers into the system. The tour operator creates an integration module, which then sends information about the sale of the tour product automatically using the REST API.

Server: rent or buy?

You have figured out the requirements that the tour operator information system needs to meet. What's next? You need to start searching for services and products that meet them. As a rule, the choice begins with the server on which the information system operates. Let's consider several nuances that will arise at this stage.

Connection to the GIS EP must be implemented using class KS3 cryptography. This means that in addition to software protection, hardware protection must be used. To use it, you will need a physical server, so cloud resources are unsuitable from the outset. Hardware computing power can be rented as a service (Infrastructure as a Service, IaaS) from a provider, or purchased and deployed on your own.

Why is it easier to use a Selectel server with a hardware-software trusted boot module (APMDZ) than to solve the above-mentioned tasks on your own site (on-premise infrastructure) by purchasing the server yourself?

Firstly, selecting an APMDZ for a specific platform is not the easiest task. There are many nuances in the hardware platform (for example, tolerances defined by PCI/PCI-E bus standards or the specifics of the board layout) and in the APMDZ itself.

The client (or their contractor) will have to test compatibility in detail in each specific case. However, some information can be obtained from the manufacturers of the APMDZ. For example, Security Code publishes on its website a compatibility table of the PAK “Sobol” with different hardware platforms. There is a nuance here, though: most of the server platforms listed in this table are no longer sold or supported.

Selectel resolves compatibility issues for the customer. We have organized independent testing and verification of motherboards of the provided dedicated servers.

Let's look at other key differences and difficulties that you may encounter when organizing a ready-to-connect GIS EP server on your own.

Certification

If you work on your own site, you will need to implement strict physical security measures. This is the only way to certify the server according to the requirements of the FSTEC of Russia order No. 17, which was mentioned above. When using a rented office or data center, the contractor must implement these security measures in its area of responsibility.

The IaaS model assumes that the provider takes on security measures related to physical access to equipment. Another advantage of IaaS is flexibility: you do not need to move and re-certify the hardware when moving the office. The servers will continue to work in a prepared data center that meets the strictest physical security requirements.

Certified Firewall

The firewall controls and filters the passing traffic according to the configured rules. To pass the certification, the client will need a hardware firewall (type A).

However, if you decide to deploy and configure a server on your own site, then for fault tolerance, you will most likely need to buy two firewalls: the main one and the backup one. This will ensure a high level of infrastructure availability while replacing the failed equipment.

In case of renting resources using the IaaS model, you purchase one firewall with a guarantee of prompt replacement in case of failure.

Selectel is responsible for uninterruptible power supply, optimal microclimate and prompt service maintenance of servers and firewalls. If the hardware component fails, engineers will replace it within three hours.

At the same time, savings on spare/backup equipment (SPAE) are achieved due to scale. The provider forms the SPAE for thousands of clients, which leads to significant benefits for each of them.

Time

If your server does not meet legal requirements and is not compatible with information security hardware, you will have to order a new one. The wait for hardware can be up to 10 weeks.

At the same time, customers often find the slightest inconsistencies in the configuration after receiving the server. In such a case, you will have to re-place the order and wait for the server to be delivered in a new configuration. Do not forget about the time that full-time IT specialists will spend testing the solution. The wait can be long, since they rarely encounter APMDZ and do not have the necessary experience.

The provider will provide a ready-made server much faster. Errors and inconsistencies in the configuration will be minimized due to greater experience, and the compatibility of the components has already been tested.

Selectel will prepare a server with a firewall in 10 days. And the number of components on its own assembly line covers the needs of even high-performance IS of the largest tour operators. A practical example is the Ostrovok.ru case.

Software certified by FSTEC of Russia

Compatibility of various information security tools with the server and OS is a complex issue, for the solution of which the client will need to involve qualified IT specialists. Among other things, they must have the competencies to configure and administer certified products.

The provider provides a ready-made software and hardware complex, which has already been tested by its IT specialists. Among other things, the provider is already familiar with many nuances and complexities that the client should be warned about. The staff includes experts who know how to correctly configure and administer certified security tools. If additional questions arise regarding the software, technical support will deal with them independently or with the vendor's participation and provide solutions.

What Selectel offers


As a major supplier of IT infrastructure and information security services, we have prepared a solution for tour operators. It can be used to deploy an information system for quick connection to the GIS EP.

How the solution works.

The service is based on the reliable IT infrastructure of Selectel, thanks to which thousands of Russian companies develop their business. The tourism industry is no exception: among the major representatives, Ostrovok.ru and dozens of other tour operators already work with us.

Learn more about how online hotel booking service Ostrovok.ru migrated the infrastructure from the Amazon Web Services cloud to Selectel servers – in the review.

Spoiler: the migration costs paid off within a month, and the cost of the IT infrastructure was reduced by half.

Let's consider what services and solutions we provide to the client as part of the offer.

  • A server that is compatible with all necessary information security tools. The tour operator's information system is installed on it.
  • Trusted boot hardware board. As mentioned earlier, it is needed to meet the requirements of the Russian FSB when creating a secure connection (KS3).
  • Information security tools for OS, antivirus, vulnerability analysis and search service.
  • Hardware firewall (type A). Necessary for certification (GIS KZ) and ensuring network security.
  • One-time installation and configuration of information security tools provided by Selectel. You will not have to involve full-time IT specialists and look for experts with the appropriate skills to test and install the entire set of information security tools.

However, some of the simple work remains on the client. This includes typical tasks that are difficult to delegate to the provider.

The client will need to:

  • Install your own software (tour operator information system) on the server.
  • Purchase cryptographic information protection tools (CIPS) VipNet PKI Client.
  • Purchase an electronic signature on a certified USB token and transfer it to Selectel.
  • Conclude a separate standard agreement (for Selectel clients) with JSC NTT for certification of the tour operator's information system, which will be created on the basis of a dedicated Selectel server. The document will set out the cost of services for certification, development of organizational documents, setting up a secure connection and organizing a connection to the GIS EP.

The cost and term of the contract execution are reduced due to the use of standard solutions, as well as the experience of JSC NTT in creating certified information systems based on the Selectel infrastructure.

Stages of work on connecting the tour operator's IS to the GIS EP

We will describe the process in the format of a cheat sheet. Use it as a guide if you want to connect to the GIS EP in the shortest possible time.

1. Assess the business need for automated connection to the GIS EP. Most often, financial benefit arises if hundreds of tour products are issued per month. For smaller scales, manual input of information may be more profitable.

2. Find out whether it is technically possible to connect the existing tour operator IS to the GIS EP. For example, Samotour, Master-Tour and others have such an IS. And for an IS of your own development, you will need to create an API module to exchange data with the GIS EP API.

3. Find out whether it is possible to transfer the IS to a physical server taking into account security requirements. Since certification is required, additional software and equipment certified by the FSTEC of Russia and the FSB of Russia will be used. Here the client may encounter restrictions that concern IT. For example, the type and versions of supported OS.

4. Register in the Selectel control panel, approve a commercial proposal and order services through a dedicated manager.

5. Sign a contract with the company conducting the certification (JSC NTT).

6. Purchase a cryptographic information protection tool and an electronic signature, and transfer the USB token to Selectel.

7. Get a server with a set of information security tools installed.

8. Install your own software (tour operator IS).

9. Provide access to JSC NTT to conduct certification tests. Installation and configuration of a secure connection to the GIS EP (JSC NTT).

10. Development of organizational documentation for a tour operator, testing of the system and issuance of a certificate of conformity (JSC NTT).

11. The information system is connected to the GIS EP.

After the client has been granted access to the configured IT infrastructure, Selectel ensures operability at the physical level. The client is responsible for the operation of the software and the administration of the information security system.

In this case, administration can be transferred to Selectel. A team of DevOps engineers is engaged in supporting such projects.

We can transfer the entire client infrastructure so that the responsible persons will not have to be distracted by solving additional tasks. We even filmed a whole video about it for clarity.

Watch the webinar recording


Do you have any questions about connecting your system to the GIS EP? Watch the joint webinar by Selectel and JSC NTT, a licensee of the FSTEC of Russia and the developer of the GIS “Electronic Travel Voucher”. We analyzed all the processes in simple terms and provided a step-by-step action plan.

It will be useful for managers and those responsible for infrastructure in tour operator companies, information security specialists and outsourcing companies supporting information systems.
